Some Good News About CISA: It Doesn’t Include Senator Whitehouse's Dangerous CFAA Amendment

CISA passed out of the Senate by a disappointing vote of 74-21 last week. The bill has already passed out of the House, and now it goes to a conference committee to work out any differences between the House and Senate versions, back to both houses for an up or down vote without any amendments, and then to the President’s desk. Unlike in previous years, we haven’t heard any veto threats for CISA, so it’s clear some version of the fundamentally flawed bill will become law.

Senator Whitehouse’s amendment was in the list of amendments that the Senate agreed to consider in October. Fortunately, Senator Ron Wyden made it clear on the floor of the Senate on October 20th that he would object to moving the bill forward if this amendment were included because it would “significantly expand a badly outdated CFAA.”

The amendment was ultimately not included in the language the Senate voted to advance, a fact Senator Whitehouse was very upset about: he publicly blamed a “hidden pro-botnet, pro-foreign cyber criminal caucus” for persuading the “masters of the universe” to remove this amendment.

The emails from our supporters opposing this amendment made a difference. Unfortunately, we doubt that Whitehouse’s language is dead. It could very well come up during conference, especially since Senator Tom Carper said: “we will conference, I’m sure, with the House and we will have an opportunity to revisit this, so I just hope you’ll stay in touch with those of us who might be fortunate enough to be a conferee.” As Marcy Wheeler points out, “as Ranking Member of the Senate Homeland Security Committee [, he] would almost certainly be included in any conference on the bill.”

What’s wrong with CISA

[T]his bill will do little to make Americans safer but will potentially reduce the personal privacy of millions of Americans in a very substantial way.

We couldn’t agree more with Senator Wyden’s analysis of the problems with CISA.

While we will push for changes in conference, nothing can fix the fact that CISA’s raison d’etre—giving the government more information—is not going to improve our security. It doesn't address the real cybersecurity problems that caused major computer data breaches like Target and the U.S. Office of Personnel Management (OPM). And that fundamental flaw is on top of the fact that CISA has vague definitions of key terms, creates aggressive new spying authorities for the government, and would make it much harder to sue companies that share your personal information for cybersecurity purposes.

Many of the companies that would supposedly benefit from CISA opposed the bill. Industry trade groups the Computer and Communications Industry Association and the Business Software Alliance came out against CISA in the last month leading up to the CISA vote. They were joined by Salesforce, Twitter, reddit, Yelp, and Apple. And security giant Symantec also "refuse[d] to support the bill," because it would have allowed “cyber threat indicators” to be used for purposes other than cybersecurity.

In other words, CISA sacrifices privacy for an illusion of better security, as Senator Wyden pointed out.

The Computer Fraud and Abuse Act, the federal anti-hacking law, has draconian penalties for poorly defined crimes. As a consequence, overzealous prosecutors can abuse the law by bringing criminal charges that are politically motivated, and pushing for harsh sentencing. The prosecution of activist Jeremy Hammond is a good example: he was charged with violating the CFAA after he allegedly hacked into the systems of private intelligence contractor Stratfor and leaked material that exposed surveillance on political protesters at the behest of both private companies and the government. He's now spending ten years in jail.

Senator Whitehouse’s amendment would have made the CFAA even easier to abuse. Its language created new CFAA crimes while lessening judicial oversight for sentencing of those crimes, all while lowering the standard for prosecuting some CFAA crimes. It also expanded trafficking prohibitions in a way that would threaten security research.

With the impending discussions about the budget, CISA may not be considered for several weeks. We’ll be keeping an eye out. And when it goes to conference, we’ll make it easy for you to let the conferees from the House and Senate know that these dangerous changes to the CFAA must not be included in the final legislation.
